Malicious RTF / .DOC — malware analysis report

Static analysis result for SHA-256 2023b69415827a06…

MALICIOUS

RTF / .DOC

1.39 MB
MD5: b1f8aca2f6dde172735098c97e1b84e8 SHA-1: 8a0757105a9354585f94b484039b2f9f5602bf65 SHA-256: 2023b69415827a06a80ccab79bbb7b6447cd3d5873b5faa2231397f59c1ea3f4
180 Risk Score

Malware Insights

MITRE ATT&CK
T1203 Exploitation for Client Execution

The sample is an RTF document that contains embedded OLE objects, specifically triggering heuristics related to Equation Editor. The critical heuristic 'RTF_EQUATION_EDITOR' and high heuristic 'CVE_2017_11882_ACTIVATION_RELATED' strongly indicate the exploitation of the CVE-2017-11882 vulnerability. This vulnerability allows for arbitrary code execution when the embedded object is activated.

Heuristics 5

  • Equation Editor activation — CVE-2017-11882 related high CVE related CVE_2017_11882_ACTIVATION_RELATED
    RTF decodes to an Equation.3 ProgID and requests OLE activation with \objemb plus \objupdate. This reaches the legacy Equation Editor attack surface used by CVE-2017-11882/CVE-2018-0802 documents, but the malformed MTEF/native payload needed for stronger attribution was not recovered.
  • Split hex Equation Editor ProgID + OLE object critical RTF_EQUATION_EDITOR
    RTF embeds the Equation.3 ProgID as hex bytes near OLE object activation and splits the byte stream with whitespace or an ignorable RTF group. This is an Equation Editor OLE activation surface commonly used by CVE-2017-11882 / CVE-2018-0802 exploit documents.
  • \objupdate forces OLE activation high RTF_OBJUPDATE
    RTF contains \objupdate — forces automatic OLE object instantiation when the document is opened, bypassing user interaction. Almost exclusively seen in Equation Editor exploit documents.
  • OLE object data medium RTF_OBJDATA
    RTF contains 2 \objdata section(s) — embedded OLE objects
  • Embedded OLE object medium RTF_OBJEMB
    RTF contains \objemb — embedded OLE object

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
objdata_00_off000011e1.bin
71cb879e802e8ae252d7d92d5a076cc39e98762bcec82908395fd82a2ca83166		 rtf-objdata-decoded RTF \objdata at offset 0x11E1 53326 bytes
objdata_01_off0002eced.bin
5d913e0bdd4543b59117490fda1dba3c38edbcd2b81c5376d07402a696f7c2ab		 rtf-objdata-decoded RTF \objdata at offset 0x2ECED 346025 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.